[Samba] Secure dynamic update failure with internal DNS
James
lingpanda101 at gmail.com
Tue Oct 27 17:51:13 UTC 2015
Hello,
At one point secure dynamic updates worked. Now I require 'allow
dns updates = nonsecure' for dynamic updates to work. I can't seem to
find any trace of updates being performed in the samba logs or Windows.
I've hit a wall and can't seem to progress. Since I couldn't pull
anything from the logs, I decided to run 'nsupdate -g -d -D -L 10'. This
was my initial result.
nsupdate -g -d -D -L 10
setup_system()
27-Oct-2015 13:14:49.420 dns_requestmgr_create
27-Oct-2015 13:14:49.420 dns_requestmgr_create: 0x7fb3edeaf010
reset_system()
user_interaction()
get_next_command()
> update delete itdept-desktop.domain.local 86400 A 172.16.232.30
evaluate_update()
update_addordelete()
get_next_command()
> send
start_update()
27-Oct-2015 13:15:15.438 dns_request_createvia
27-Oct-2015 13:15:15.439 request_render
27-Oct-2015 13:15:15.439 requestmgr_attach: 0x7fb3edeaf010: eref 1 iref 1
27-Oct-2015 13:15:15.439 mgr_gethash
27-Oct-2015 13:15:15.439 req_send: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.439 dns_request_createvia: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.439 req_senddone: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 req_response: request 0x7fb3edea0eb0: success
27-Oct-2015 13:15:15.441 req_cancel: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 req_sendevent: request 0x7fb3edea0eb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:15:15.441 dns_request_getresponse: request 0x7fb3edea0eb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:64900
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;itdept-desktop.domain.local. IN SOA
27-Oct-2015 13:15:15.441 dns_request_destroy: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 req_destroy: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 requestmgr_detach: 0x7fb3edeaf010: eref 1 iref 0
27-Oct-2015 13:15:15.441 dns_request_createvia
27-Oct-2015 13:15:15.441 request_render
27-Oct-2015 13:15:15.441 requestmgr_attach: 0x7fb3edeaf010: eref 1 iref 1
27-Oct-2015 13:15:15.441 mgr_gethash
27-Oct-2015 13:15:15.441 req_send: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.441 dns_request_createvia: request 0x7fb3edea0eb0
Out of recvsoa
27-Oct-2015 13:15:15.441 req_senddone: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.442 req_response: request 0x7fb3edea0eb0: success
27-Oct-2015 13:15:15.442 req_cancel: request 0x7fb3edea0eb0
27-Oct-2015 13:15:15.442 req_sendevent: request 0x7fb3edea0eb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:15:15.442 dns_request_getresponse: request 0x7fb3edea0eb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:54937
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.local. IN SOA
;; ANSWER SECTION:
domain.local. 3600 IN SOA pfdc1.domain.local. hostmaster.domain.local. 432 900 600 86400 3600
Found zone name: domain.local
The master is: pfdc1.domain.local
start_gssrequest
27-Oct-2015 13:15:15.443 Failure initiating security context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
--------------------------------------------------------------------------------------------------------------------------------------------
I see this section
tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Credentials cache file '/tmp/krb5cc_0' not found.
I thought the cache file was automatically created? Nonetheless, I
execute 'kinit' for administrator, which creates the cache file
'krb5cc_0'. I run 'nsupdate -g -d -D -L 10' again. This
time I get this result.
nsupdate -g -d -D -L 10
setup_system()
27-Oct-2015 13:37:38.729 dns_requestmgr_create
27-Oct-2015 13:37:38.729 dns_requestmgr_create: 0x7f6b29d2c010
reset_system()
user_interaction()
get_next_command()
> update add itdept-desktop.domain.local 86400 A 172.16.232.30
evaluate_update()
update_addordelete()
get_next_command()
> send
start_update()
27-Oct-2015 13:38:01.507 dns_request_createvia
27-Oct-2015 13:38:01.507 request_render
27-Oct-2015 13:38:01.507 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 1
27-Oct-2015 13:38:01.507 mgr_gethash
27-Oct-2015 13:38:01.507 req_send: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.507 dns_request_createvia: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.507 req_senddone: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 req_response: request 0x7f6b29d1deb0: success
27-Oct-2015 13:38:01.509 req_cancel: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 req_sendevent: request 0x7f6b29d1deb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:38:01.509 dns_request_getresponse: request 0x7f6b29d1deb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:63949
;; flags: qr rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;itdept-desktop.domain.local. IN SOA
27-Oct-2015 13:38:01.509 dns_request_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 req_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 0
27-Oct-2015 13:38:01.509 dns_request_createvia
27-Oct-2015 13:38:01.509 request_render
27-Oct-2015 13:38:01.509 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 1
27-Oct-2015 13:38:01.509 mgr_gethash
27-Oct-2015 13:38:01.509 req_send: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.509 dns_request_createvia: request 0x7f6b29d1deb0
Out of recvsoa
27-Oct-2015 13:38:01.509 req_senddone: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.511 req_response: request 0x7f6b29d1deb0: success
27-Oct-2015 13:38:01.511 req_cancel: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.511 req_sendevent: request 0x7f6b29d1deb0
recvsoa()
About to create rcvmsg
27-Oct-2015 13:38:01.511 dns_request_getresponse: request 0x7f6b29d1deb0
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:30700
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;domain.local. IN SOA
;; ANSWER SECTION:
domain.local. 3600 IN SOA pfdc1.domain.local. hostmaster.domain.local. 434 900 600 86400 3600
Found zone name: domain.local
The master is: pfdc1.domain.local
start_gssrequest
Found realm from ticket: DOMAIN.LOCAL
send_gssrequest
27-Oct-2015 13:38:01.512 dns_request_createvia
27-Oct-2015 13:38:01.512 request_render
27-Oct-2015 13:38:01.512 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 2
27-Oct-2015 13:38:01.512 mgr_gethash
27-Oct-2015 13:38:01.512 dns_request_createvia: request 0x7f6b29d36010
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1384447838.sig-pfdc1.domain.local. ANY TKEY
;; ADDITIONAL SECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TKEY gss-tsig. 1445967481 1445967481 3 NOERROR 1361
27-Oct-2015 13:38:01.512 dns_request_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.512 req_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.512 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 1
Out of recvsoa
27-Oct-2015 13:38:01.512 req_connected: request 0x7f6b29d36010
27-Oct-2015 13:38:01.513 req_send: request 0x7f6b29d36010
27-Oct-2015 13:38:01.513 req_senddone: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 req_response: request 0x7f6b29d36010: success
27-Oct-2015 13:38:01.523 req_cancel: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 req_sendevent: request 0x7f6b29d36010
recvgss()
recvgss creating rcvmsg
27-Oct-2015 13:38:01.523 dns_request_getresponse: request 0x7f6b29d36010
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1384447838.sig-pfdc1.domain.local. ANY TKEY
;; ANSWER SECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TKEY gss-tsig. 1445967481 1445967481 3 NOERROR 182
oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB
AgICAG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr4rBfZLZEDlMf
xEOrOtGsFid2hIWdFfFECDMGt9jmstD2wB1yAE3FiVqv0cZd1F3z22zR
hcMtHSWFx1VhvA8ob0TGBpfe8FagJ0Osgt7tV7z9oKi2sE3QnZcKkkl+
LrUyTDMe8fqUdCsL+RM= 0
;; TSIG PSEUDOSECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 28
BAQF//////8AAAAAImyAou7Y6kl8XKcarfaOeQ== 38947 NOERROR 0
send_update()
Sending update to 172.16.232.29#53
27-Oct-2015 13:38:01.523 dns_request_createvia
27-Oct-2015 13:38:01.523 request_render
27-Oct-2015 13:38:01.523 requestmgr_attach: 0x7f6b29d2c010: eref 1 iref 2
27-Oct-2015 13:38:01.523 mgr_gethash
27-Oct-2015 13:38:01.523 dns_request_createvia: request 0x7f6b29d1deb0
show_message()
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
itdept-desktop.domain.local. 86400 IN A 172.16.232.30
;; TSIG PSEUDOSECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 28
BAQE//////8AAAAAGCwKBRKMONp5I7ZtKq4gJA== 34024 NOERROR 0
27-Oct-2015 13:38:01.523 dns_request_destroy: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 req_destroy: request 0x7f6b29d36010
27-Oct-2015 13:38:01.523 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 1
Out of recvgss
27-Oct-2015 13:38:01.523 req_connected: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.523 req_send: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.524 req_senddone: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 req_response: request 0x7f6b29d1deb0: success
27-Oct-2015 13:38:01.998 req_cancel: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 req_sendevent: request 0x7f6b29d1deb0
update_completed()
27-Oct-2015 13:38:01.998 dns_request_getresponse: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
27-Oct-2015 13:38:01.998 tsig key '1384447838.sig-pfdc1.domain.local' (<null>): signature failed to verify(1)
; TSIG error with server: tsig verify failure
show_message()
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;domain.local. IN SOA
;; UPDATE SECTION:
itdept-desktop.domain.local. 86400 IN A 172.16.232.30
;; TSIG PSEUDOSECTION:
1384447838.sig-pfdc1.domain.local. 0 ANY TSIG gss-tsig. 1445967481 300 28
BAQF//////8AAAAAImyAo3PobOaGOyFvcHpIfQ== 34024 NOERROR 0
27-Oct-2015 13:38:01.998 dns_request_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 req_destroy: request 0x7f6b29d1deb0
27-Oct-2015 13:38:01.998 requestmgr_detach: 0x7f6b29d2c010: eref 1 iref 0
done_update()
reset_system()
user_interaction()
get_next_command()
-----------------------------------------------------------------------------------------------------------------------------
This time you can see the update succeeded. The TSIG verify failure has
always been an issue with the internal DNS. This never stopped secure
dynamic updates before. What does 'samba_dnsupdate' do differently that
could cause the updates to fail? I looked through the script but
couldn't find anything to help. A packet trace with Wireshark doesn't
give me much help either.
Flags: 0xa805 Dynamic update response, Refused CNAME
Any ideas where I need to look next? Relevant system info below.
Ubuntu 12.04 LTS DC
Samba 4.3.1
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
netbios name = PFDC1
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = Yes
log file = /usr/local/samba/var/log.%m
log level = 1
logging = syslog at 1 file
allow dns updates = secure only
#Disable CUPS Printing
load printers = No
printcap name = /dev/null
disable spoolss = Yes
# Add and Update TLS Key
tls enabled = yes
tls keyfile = tls/sambaKey.pem
tls certfile = tls/sambaCert.pem
tls cafile =
#tls crlfile =
#tls dh parms file =
[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
--
-James
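As an added diagnostic aid (not part of James's post, nor Samba or BIND code): a small parser for the nsupdate -d -D output quoted above that reports which GSS-TSIG phase was reached (SOA walk, TKEY negotiation, signed UPDATE) and which error class applies. The sample trace is constructed from lines of the post; the function name and the findings text are my own.

```python
import re

# Constructed excerpt of the second nsupdate -g -d -D trace in the post above
# (the GSS token and timestamped request-manager lines are omitted).
TRACE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:63949
Found zone name: domain.local
The master is: pfdc1.domain.local
Found realm from ticket: DOMAIN.LOCAL
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:38947
Sending update to 172.16.232.29#53
GSS verify error: GSSAPI error: Major = A token had an invalid Message Integrity Check (MIC), Minor = Success.
tsig key '1384447838.sig-pfdc1.domain.local' (<null>): signature failed to verify(1)
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:34024
"""
HEADER = re.compile(r"opcode: (\w+), status: (\w+)")
FIELDS = {"zone": r"Found zone name: (\S+)", "master": r"The master is: (\S+)",
          "realm": r"Found realm from ticket: (\S+)"}

def analyze_nsupdate_trace(text):
    """Summarise a GSS-TSIG (RFC 3645) nsupdate run: SOA walk to find the zone,
    TKEY negotiation with the Kerberos ticket, then the signed UPDATE."""
    r = {"zone": None, "master": None, "realm": None, "tkey_negotiated": False,
         "update_rcode": None, "findings": []}
    phase = None  # which reply the next ";; ->>HEADER<<-" line belongs to
    for line in text.splitlines():
        if "Credentials cache file" in line and "not found" in line:
            r["findings"].append("no Kerberos ticket cache: kinit as the updating principal first")
        for key, pat in FIELDS.items():
            m = re.match(pat, line)
            if m:
                r[key] = m.group(1)
        if line.startswith("recvmsg reply from GSS-TSIG query"):
            phase = "tkey"
        elif line.startswith("Reply from update query"):
            phase = "update"
        m = HEADER.search(line)
        if m and phase == "tkey" and m.group(2) == "NOERROR":
            r["tkey_negotiated"] = True  # server accepted the GSS token, key established
        elif m and phase == "update":
            r["update_rcode"] = m.group(2)
            if m.group(2) == "REFUSED":
                r["findings"].append("server refused the update: check 'allow dns updates' and the record's ACL")
        if "GSS verify error" in line:
            r["findings"].append("client could not verify the TSIG on the server's UPDATE reply")
    return r
```

An NXDOMAIN on the first SOA query is normal: nsupdate walks up from the host name until it finds the zone apex, as the trace shows.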